Critical VPN Client Vulnerabilities Enable Remote Code Execution Through Fake Update Servers

· 1 min read

article picture

Security researchers have uncovered serious vulnerabilities in popular corporate VPN clients that could allow attackers to remotely execute malicious code on users' devices through fake update servers.

The vulnerabilities, identified as CVE-2024-5921 and CVE-2024-29014, affect Palo Alto Networks' GlobalProtect and SonicWall's NetExtender VPN clients respectively. Both flaws stem from insufficient validation of software updates.

In the case of GlobalProtect, attackers can potentially trick users into connecting to malicious VPN servers that could install unauthorized root certificates and deliver malware-infected updates. The vulnerability impacts Windows, macOS, and Linux versions of the app.

For NetExtender users running versions 10.2.339 and earlier on Windows, attackers could execute code with system-level privileges by exploiting flaws in how the client handles End Point Control updates.

"VPN clients are indispensable for secure remote access, but their elevated system privileges present an enormous attack surface," noted AmberWolf researchers Richard Warren and David Cash, who discovered the vulnerabilities.

The attack scenarios typically involve social engineering - convincing users to connect to rogue VPN servers that can then push malicious updates. For NetExtender specifically, simply visiting a malicious website or opening a compromised document could trigger the attack if certain conditions are met.

Palo Alto Networks has released patches for the Windows version of GlobalProtect (version 6.2.6 and later), while fixes for macOS and Linux are still pending. SonicWall addressed the issue in NetExtender version 10.2.341.

As an interim measure, security experts recommend implementing host-based firewall rules to prevent connections to unauthorized VPN servers. Organizations should also expedite the deployment of available patches.

The researchers have released NachoVPN, an open-source tool demonstrating how attackers could exploit these vulnerabilities, highlighting the urgency for organizations to address these security gaps.